CVE-2022-30122: 
Ruby vulnerability analysis and mitigation

A denial of service vulnerability exists in Rack's multipart parsing component, affecting versions from 1.2 up to (but not including) 2.0.9.1, 2.1.4.1, and 2.2.3.1. The vulnerability was discovered in May 2022 and has been assigned CVE-2022-30122 (Ruby Rails).

The vulnerability exists in the multipart parsing component of Rack. When processing multipart POST requests, the parser can be forced to take significantly longer than expected to process the input. This affects code that uses Rack's multipart parser directly through Rack::Multipart.parse_multipart(env) or indirectly through request.POST or request.params calls (Ruby Rails). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

Successful exploitation of this vulnerability could lead to a denial of service condition. Carefully crafted multipart POST requests can cause Rack's multipart parser to consume excessive processing time, potentially making the service unavailable (Ruby Rails, Gentoo).

The vulnerability has been fixed in versions 2.0.9.1, 2.1.4.1, and 2.2.3.1. Users are advised to upgrade to these or later versions as there are no feasible workarounds for this issue. For users unable to upgrade immediately, patches are available for the 2.0, 2.1, and 2.2 series (Ruby Rails).